Ransomware Attacks on Backups: 96% of Target Backups

The statistics are in, and they’re not pretty. Ransomware attacks on backups have become the norm, not the exception. According to recent data from Veeam and Sophos, 96% of ransomware incidents now include attempts to compromise backup infrastructure. If you round that up, it’s basically every single attack.

This blog post summarizes the main points of my latest podcast episode. If you’d like, you can listen to it or watch it at https://www.backupwrapup.com/

Why Ransomware Attacks on Backups Have Become Standard Practice

Let’s think about this from the attacker’s perspective for a minute. They’ve gotten into your environment, they’ve encrypted your production systems, and now they want you to pay up. What’s standing between them and that payday? Your backups.

If you can recover from backups, you don’t need to pay the ransom. So what do smart attackers do? They go after your backups first. Ransomware attacks on backups eliminate your safety net before you even know you need it.

But there’s another reason attackers love targeting backup infrastructure: it’s a treasure trove. Think about what backups actually are—they’re a copy of your entire production environment sitting in one place. All your sensitive data, all your intellectual property, all your customer information, concentrated and waiting. For attackers looking to exfiltrate data for double extortion, your backup repository is a one-stop shop.

The Readiness Gap: Ransomware Attacks on Backups vs. Actual Preparation

Here’s where it gets really concerning. The Veeam Data Protection Trends Report shows that only about 25% of organizations believe they weren’t hit by ransomware in the past year. That means 75% were attacked at least once, with many facing multiple incidents.

But when we look at preparedness for ransomware attacks on backups, only about a quarter of organizations feel confident in their defenses. We’ve got a situation where attacks are nearly universal, backup targeting is standard operating procedure, and most organizations aren’t ready.

The Sophos data backs this up. They found that in 94% of ransomware attacks on backups, the attackers specifically attempted to compromise backup repositories. The success rate varies by organization, but the intent is clear: your backups are not just a secondary target—they’re a primary objective.

Recovery Reality: Why Ransomware Attacks on Backups Extend Downtime

Another stat that should concern everyone: less than 7% of companies recover from ransomware within a day. Over a third take more than a month to get back to normal operations.

Why does it take so long? It’s not the restore itself. With modern backup systems, the actual data recovery can happen relatively quickly. The problem is everything that comes before the restore button gets pressed.

When ransomware attacks on backups succeed—or even when they’re just attempted—you have to figure out what happened. How did the attackers get in? How long were they in your environment? What did they touch? Are your backups clean, or did the attackers plant something that will reinfect you the moment you restore?

This forensic investigation is what kills recovery times. You can’t just blow everything away and restore—you need to understand the attack before you can safely recover. And if your backup infrastructure was compromised, that investigation gets even more complicated.

Defending Against Ransomware Attacks on Backups

So what actually works? After years of watching organizations succeed and fail at ransomware recovery, I’ve concluded that one thing matters more than anything else: true immutability.

I’m not talking about the marketing version of immutability where someone with admin credentials can still delete data. I’m talking about actual, write-once storage where even you—the backup administrator—cannot delete or modify the backups within a defined retention period.

Why is this the only real answer? Because if it’s a computer and it’s connected to the network, it’s hackable. You can reduce risk through better practices, but you can’t eliminate it. Ransomware attacks on backups succeed because attackers eventually find a way in. Immutability means that even when they get in, they can’t destroy what matters most.
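One way to tell the two kinds of immutability apart on a concrete platform, as an added example that is not from the original post or the podcast: Amazon S3 Object Lock is assumed as the backup target, and the function audits the dictionary shape returned by its GetObjectLockConfiguration call. The bucket names, sample responses and the 30-day floor are constructed for illustration.

```python
# Added example: audits S3 Object Lock settings held as plain dicts (runs offline).
# Bucket names and sample responses are constructed, not from a real account.

MIN_RETENTION_DAYS = 30  # assumed policy floor; replace with your own requirement


def retention_days(default_retention):
    """Convert the Days/Years fields of DefaultRetention to a day count."""
    if "Days" in default_retention:
        return int(default_retention["Days"])
    return int(default_retention.get("Years", 0)) * 365


def audit_object_lock(response, min_days=MIN_RETENTION_DAYS):
    """Return (verdict, reason) for one GetObjectLockConfiguration-shaped dict."""
    cfg = response.get("ObjectLockConfiguration", {})
    if cfg.get("ObjectLockEnabled") != "Enabled":
        return "FAIL", "Object Lock not enabled; stolen credentials can delete versions"
    default = cfg.get("Rule", {}).get("DefaultRetention")
    if not default:
        return "WARN", "no bucket default; relies on the backup tool locking every object"
    mode, days = default.get("Mode"), retention_days(default)
    if mode == "GOVERNANCE":
        return "FAIL", "governance mode; s3:BypassGovernanceRetention lets an admin delete"
    if mode != "COMPLIANCE":
        return "FAIL", f"unrecognised mode {mode!r}"
    if days < min_days:
        return "WARN", f"compliance mode but only {days} days; floor is {min_days}"
    return "PASS", f"compliance mode, {days} days; no user, root included, can delete early"


# Constructed samples. The empty dict stands in for a bucket with no lock
# configuration (the real API raises an error in that case).
SAMPLES = {
    "backup-no-lock": {},
    "backup-per-object": {"ObjectLockConfiguration": {"ObjectLockEnabled": "Enabled"}},
    "backup-governance": {"ObjectLockConfiguration": {"ObjectLockEnabled": "Enabled",
        "Rule": {"DefaultRetention": {"Mode": "GOVERNANCE", "Days": 90}}}},
    "backup-short": {"ObjectLockConfiguration": {"ObjectLockEnabled": "Enabled",
        "Rule": {"DefaultRetention": {"Mode": "COMPLIANCE", "Days": 7}}}},
    "backup-worm": {"ObjectLockConfiguration": {"ObjectLockEnabled": "Enabled",
        "Rule": {"DefaultRetention": {"Mode": "COMPLIANCE", "Years": 1}}}},
}

if __name__ == "__main__":
    for bucket, response in SAMPLES.items():
        verdict, reason = audit_object_lock(response)
        print(f"{bucket:18} {verdict:4} {reason}")
```

Governance mode is the case where someone with admin credentials can still delete data; only the compliance-mode bucket with adequate retention passes.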

Beyond immutability, here’s what I recommend:

Separate your backup infrastructure. Don’t use the same identity and access management system for your backups that you use for production. If an attacker compromises your Active Directory or Entra ID, they shouldn’t automatically have access to your backup systems. Consider local authentication with a separate password manager for backup systems.

Implement MFA everywhere. Passkeys are even better if your systems support them. Ransomware attacks on backups often exploit stolen credentials, so adding that second factor makes a real difference.

Treat backup infrastructure as a target. Don’t leave the keys in the ignition, so to speak. Your backup systems need the same security attention as your production systems, maybe more.

The Bottom Line on Ransomware Attacks on Backups

The statistics tell a clear story: ransomware attacks on backups are happening in almost every incident. The attackers understand that your backup infrastructure is the key to whether you pay or recover. They’ve adapted their playbooks accordingly.

The question isn’t whether your organization will face a ransomware attack. Statistically, it’s going to happen. The question is whether you’ll have clean, accessible backups when you need them most.

If your backup infrastructure isn’t prepared for ransomware attacks on backups—with true immutability, separated authentication, and proper security controls—you’re essentially hoping the attackers will overlook your most critical recovery asset. And with a 96% targeting rate, hope isn’t a strategy.

Written by W. Curtis Preston (@wcpreston), four-time O'Reilly author, and host of The Backup Wrap-up podcast. I am now the Technology Evangelist at S2|DATA, which helps companies manage their legacy data
